It’s the Holiday Season! That means time with family and friends, parties and too many goodies. It also means crowded stores filled with frantic shoppers and other distractions, gazillions of receipts and online shopping – these all add to the risk of identity theft during the holiday season. There are many resources giving guidance and tips on how to prevent or lower the risk of identity theft. For example:
- Be careful with passwords (“password” is the #1 worst password in use)
- Don’t keep your Social Security card in your wallet
- Require photo ID verification for credit cards
- Watch for “shoulder-surfers” who look over your shoulder to capture a PIN or account number.
- Shred bills, medical statements, financial statements and anything that may contain personal ID data.
- Monitor credit reports
- Use a secure website when ordering online.
Identity theft can occur at any time of the year, not just during the Holiday Season. According to reports from the Better Business Bureau and Javelin Research, approximately 10 million Americans a year are victims of identity theft. Unfortunately for employers, the incidence of identity theft has been on the increase and the workplace is ranked the number one source. Some of the most sensitive information about an employee typically is located in the HR department. Personnel files, medical files, benefits data, payroll and tax records can be a goldmine for would-be identity thieves. This is a growing concern for employers especially with the move towards a “paperless society” and the increased incidence of personal data contained in electronic storage.
Identity theft occurs when someone fraudulently obtains and uses another individual’s personal information, such as name, Social Security number and credit card number, without the victim’s knowledge or authorization. The identity thief is not necessarily the highly technical, computer-savvy employee. In fact, it is usually someone hired to do a lower-level task such as filing or data entry. Identity theft or a security breach can occur in the workplace in several ways:
- Malicious Intent: In this instance, an employee of a company knows they have access to personal information and knows exactly how to get it. This person may use the stolen information for themselves or sell the information on the street multiple times.
- Carelessness: There could be the best security and records protection that money can buy, but if an employee is careless with sensitive information, it can fall into the wrong hands and identity theft can occur. Below is an example:
Seven senior managers, all earning at least $2.5 million a year (HR.BLR)
These senior managers had done a Securities and Exchange Commission filing. The outside counsel representing the corporation had all their personal information in his office. A cleaning service came in, photocopied all of it, and sold it for about $150 per name. The group behind the theft then called the credit card companies for each of these people. They said, ‘I am no longer living at … and gave the address, I’ve moved to … please send my invoices to the new address.’ The next day they called and said, ‘I’m going to put my wife on the account, and her name is….’ In this particular case, there were multiple raids on the cleaning service, and they recovered 300 cell phones, 5,000 credit cards, a couple hundred names and addresses, all of which resulted from ID theft.
- Employee is a victim of a crime: In this instance, the employee may leave a laptop or sensitive files in their car or home. The car or home is broken into and the laptop/files are stolen. Though the thief most likely wanted just the laptop, they have just hit the identity theft jackpot. In this case the employee has unwillingly and unintentionally given the identity thief sensitive information about clients or co-workers. Below is an example from HR.BLR:
The State Auditor’s Office in Ohio had a particularly bad data breach when backup tapes containing taxpayer information were stolen from a car that had been parked overnight. These tapes were stolen from an intern’s car parked outside of his home. The intern was working for the Auditor’s Office and given permission to take these tapes home, but the incident ended up affecting 1.3 million people and businesses.
What can employers do to guard against identity theft?
Employers must understand the risks of identity theft and implement the necessary systems to protect the security of employee information to minimize liability for unauthorized access, breach, or theft of personal information. Just as there are guidelines for individuals, employers can take steps and implement basic practices to minimize identity theft.
- Shred all discarded employee information, including information on temporary, contract and former employees.
- Keep personnel files and customer information locked up and secure.
- Take time to verify a new employee’s Social Security number by contacting the Social Security Administration.
- Avoid using Social Security numbers as a form of identification for employees. It is more secure to assign identifiers from a computer-based random number generator instead.
- Ask the MIS department if the network has appropriate firewalls and adequate protection from hackers.
- Ensure the company only collects essential personal information from employees.
- Restrict access to personnel files and follow the recordkeeping rules of separating medical files, personnel files, I-9s, etc. Ensure employees are informed of who has authorized access to different information.
- Eliminate duplicate employee information that is confidential within the organization. For example: a supervisor may have their own files on their subordinates.
- Have a plan ready to act quickly in the event a theft or data breach occurs.
In addition to the information above, there are both state and federal laws governing an employer’s use, maintenance, storage, access to and destruction of employee and applicant information. These laws provide guidance and resources for employers regarding the protection of employee information, but they also expose companies to fines and lawsuits if the employer is found negligent. Below are the types of penalties an employer may be subjected to:
- Federal and State fines of $3,500 per occurrence
- Civil liability of $1,000 per occurrence
- Class-action lawsuits with no statutory limitation
- Responsibility for actual losses of each individual ($92,000 average)
Monitoring and Auditing Information
There are many organizations that monitor identity theft and provide resources on it. Below are a few organizations and their purpose:
- Federal Trade Commission (www.ftc.gov) regularly surveys the incidence of identity theft and has issued guidance tips for businesses on protecting personal employee information and what to do in the event of a security breach.
- Identity Theft Resource Center (www.idtheftcenter.org) is a non-profit organization that regularly reports on data breaches affecting businesses, medical/healthcare organizations, government/military entities, etc. In addition, ITRC also provides information and resources to victims of identity theft.
- Privacy Rights Clearinghouse (www.privacyrights.org) is a non-profit consumer education and advocacy project regarding privacy. In addition, PRC reported that an increasing number of identity theft instances can be traced back to employees in the workplace who have access to and obtain sensitive employee information.
Conducting a periodic audit of the processes used to secure confidential and sensitive employee information is one way to test their effectiveness. Consider the audit a type of preventative maintenance on employee data. It is much better for an organization to identify deficiencies through an internal audit than to discover them as a result of a data breach.